12-18-2007 11:26 AM - edited 03-05-2019 08:04 PM
I am doing an audit and found out that a switch was running two different subnets on the same VLAN. I told the customer that it was a bad design and would cause many broadcasts and a security risk. But are there any other things I can point to, or a link that will support my case?
12-18-2007 12:34 PM
Etienne
While many people would agree that it is not particularly good design to have 2 subnets in the same VLAN, many networks do run this way and the problems are not necessarily severe. It is important that you and the customer understand the reason why it was set up this way and whether it is worth it to change the design and implementation.
Many people assume that devices in different subnets are isolated from each other. And this is sometimes built into the security policy. But when two subnets are in the same VLAN then they are in the same broadcast domain and they are not necessarily isolated from each other. Whether this is really a security risk depends a lot on what devices are in the subnets and whether the devices ought to be isolated. You and the customer should be able to figure this out.
The number of broadcasts will depend more on the number of devices and will not change particularly because there are 2 subnets. But since the reason for dividing the network into subnets is usually to reduce the scope of the broadcast domain, putting 2 subnets into the same VLAN does not break up the broadcast domain and so may not achieve one of the goals of deploying subnets.
One other potential downside to having 2 subnets in the same VLAN is that the amount of traffic through the switch/router interface may increase more than it otherwise would. When a device in one subnet wants to communicate with a device in the other subnet in that VLAN it could ARP and communicate directly. But many devices will send the packet to their default gateway (switch/router interface) and the gateway will forward it back out the same interface. So the interface utilization will be elevated higher than it would be if the devices in the same VLAN were also in the same subnet.
HTH
Rick
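An added audit helper to go with Rick's answer (example code written for this page, not from the original thread or from Cisco). It assumes an IOS-style running-config in which a second subnet on the same VLAN appears as an `ip address ... secondary` line under `interface VlanN`; the sample config is constructed. The first function flags VLAN interfaces carrying more than one subnet, which is the finding from the audit; the second classifies how two hosts would reach each other, distinguishing the "same broadcast domain but hairpinned through the gateway" case Rick describes from a direct or a normally routed path.

```python
"""Audit helper: find SVIs carrying more than one IP subnet and explain the
resulting traffic path between two hosts. Added example, not the thread's code.
Assumes IOS-style config syntax; the sample below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: Vlan10 hosts two subnets (primary + secondary), Vlan30 one.
SAMPLE_CONFIG = """\
interface Vlan10
 description Users
 ip address 10.1.10.1 255.255.255.0
 ip address 10.1.20.1 255.255.255.0 secondary
!
interface Vlan30
 description Servers
 ip address 10.1.30.1 255.255.255.0
!
"""


def subnets_per_vlan(config_text):
    """Map each VLAN interface name to the IPv4 networks configured on it."""
    result = defaultdict(list)
    current = None
    for line in config_text.splitlines():
        m = re.match(r"^interface (Vlan\d+)", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!"):          # end of the interface stanza
            current = None
            continue
        m = re.match(r"^\s*ip address (\S+) (\S+)( secondary)?", line)
        if m and current:
            # ip_network accepts a dotted netmask; strict=False keeps the host bits
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            result[current].append(net)
    return dict(result)


def multi_subnet_vlans(config_text):
    """Return only the VLANs that carry more than one subnet (the audit finding)."""
    return {v: nets for v, nets in subnets_per_vlan(config_text).items() if len(nets) > 1}


def classify_path(src, dst, vlan_nets):
    """Describe how traffic from src reaches dst, given the VLAN -> subnets map.

    'direct'  - same subnet, same VLAN: the host ARPs for dst and talks to it directly
    'hairpin' - same VLAN, different subnet: both hosts share one broadcast domain,
                yet the typical host hands the packet to its default gateway, which
                forwards it back out the same SVI (the extra interface load Rick notes)
    'routed'  - different VLANs: traffic crosses separate SVIs and can be filtered there
    'unknown' - an address matched no configured subnet
    """
    def locate(ip):
        addr = ipaddress.ip_address(ip)
        for vlan, nets in vlan_nets.items():
            for net in nets:
                if addr in net:
                    return vlan, net
        return None, None

    src_vlan, src_net = locate(src)
    dst_vlan, dst_net = locate(dst)
    if src_vlan is None or dst_vlan is None:
        return "unknown"
    if src_vlan == dst_vlan and src_net == dst_net:
        return "direct"
    if src_vlan == dst_vlan:
        return "hairpin"
    return "routed"


if __name__ == "__main__":
    nets = subnets_per_vlan(SAMPLE_CONFIG)
    for vlan, subnets in multi_subnet_vlans(SAMPLE_CONFIG).items():
        print(f"{vlan} carries {len(subnets)} subnets: {', '.join(map(str, subnets))}")
    for pair in [("10.1.10.5", "10.1.10.9"), ("10.1.10.5", "10.1.20.9"), ("10.1.10.5", "10.1.30.9")]:
        print(pair, "->", classify_path(*pair, nets))
```

The 'hairpin' result is the one to highlight in the audit report: the two hosts are already adjacent at layer 2, so the subnet boundary gives no isolation, while the extra gateway hop still adds load on the SVI.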